IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks
of International Business Machines Corporation in the United States, other countries, or
both.

IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and
Electronics Engineers, Inc. in the United States.

Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States and
other countries.

Sparc, Sparc64, SPARCEngine, and UltraSPARC are trademarks of SPARC International, Inc.
in the United States and other countries. Products bearing SPARC trademarks are based
upon architecture developed by Sun Microsystems, Inc.

Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this document, and
the FreeBSD Project was aware of the trademark claim, the designations have been followed
by the ``™'' or the ``®'' symbol.

The release notes for FreeBSD 5.4-RELEASE contain a summary of the changes made to the
FreeBSD base system since 5.3-RELEASE. This document lists applicable security advisories
that were issued since the last release, as well as significant changes to the FreeBSD
kernel and userland. Some brief remarks on upgrading are also presented.

This document contains the release notes for FreeBSD 5.4-RELEASE on the AMD64 hardware
platform. It describes recently added, changed, or deleted features of FreeBSD. It also
provides some notes on upgrading from previous versions of FreeBSD.

All users are encouraged to consult the release errata before installing FreeBSD. The
errata document is updated with ``late-breaking'' information discovered late in the
release cycle or after the release. Typically, it contains information on known bugs,
security advisories, and corrections to documentation. An up-to-date copy of the errata
for FreeBSD 5.4-RELEASE can be found on the FreeBSD Web site.

This section describes the most user-visible new or changed features in FreeBSD since
5.3-RELEASE. In general, changes described here are unique to the 5-STABLE branch unless
specifically marked as [MERGED] features.

Typical release note items document recent security advisories issued after
5.3-RELEASE, new drivers or hardware support, new commands or options, major bug fixes,
or contributed software upgrades. They may also list changes to major ports/packages or
release engineering practices. Clearly the release notes cannot list every single change
made to FreeBSD between releases; this document focuses primarily on security advisories,
user-visible changes, and major architectural improvements.

A bug in the fetch(1)
utility, which allows a malicious HTTP server to cause arbitrary portions of the client's
memory to be overwritten, has been fixed. For more information, see security advisory FreeBSD-SA-04:16.fetch.

A bug in procfs(5) and linprocfs(5),
which could allow a malicious local user to read parts of kernel memory or perform a
local denial of service attack by causing a system panic, has been fixed. For more
information, see security advisory FreeBSD-SA-04:17.procfs.

Two buffer overflows in the TELNET client program have been corrected. They could have
allowed a malicious TELNET server or an active network attacker to cause telnet(1) to
execute arbitrary code with the privileges of the user running it. More information can
be found in security advisory FreeBSD-SA-05:01.telnet.

An information disclosure vulnerability in the sendfile(2)
system call, which could permit it to transmit random parts of kernel memory, has been
fixed. More details are in security advisory FreeBSD-SA-05:02.sendfile.

A possible privilege escalation vulnerability on FreeBSD/amd64 has been fixed. The bug
allowed unprivileged users to gain direct access to some hardware which cannot be accessed
without the elevated privilege level. More details are in security advisory FreeBSD-SA-05:03.amd64.

An information leak vulnerability in the SIOCGIFCONF ioctl(2), which
leaked 12 bytes of kernel memory, has been fixed. More details are in security advisory
FreeBSD-SA-05:04.ifconf.

Several programming errors in cvs(1), which
could potentially cause arbitrary code to be executed on CVS servers, have been
corrected. Further information can be found in security advisory FreeBSD-SA-05:05.cvs.

The jail(8) feature
now supports a new sysctl security.jail.chflags_allowed,
which controls the behavior of chflags(1)
within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user.

A framework for flexible processor speed control has been added. It provides methods
for various drivers to control CPU power utilization by adjusting the processor speed.
More details can be found in the cpufreq(4)
manual page.

Several programming errors in the sk(4) driver have
been corrected. These bugs were particular to SMP systems, and could cause panics, page
faults, aborted SSH connections, or corrupted file transfers. More details can be found
in errata note FreeBSD-EN-05:02.sk.

The sk(4) driver now has
support for altq(4). This
driver also now supports jumbo frames on Yukon-based interfaces.

The MTU feedback in IPv6 has been disabled when the sender writes data that must be
fragmented.

The Common Address Redundancy Protocol (CARP) has been implemented. CARP comes from
OpenBSD and allows multiple hosts to share an IP address, providing high availability and
load balancing. For more information, see the carp(4) manual
page.

The ipfw(4) system
can work with debug.mpsafenet=1
(this tunable is 1 by default) when the gid, jail, and/or uid rule options are used.

The ipfw(8) ipfw fwd rule now supports the full packet destination manipulation
when the kernel option options IPFIREWALL_FORWARD_EXTENDED is
specified in addition to options IPFIREWALL_FORWARD. This kernel
option disables all restrictions to ensure proper behavior for locally generated packets
and allows redirection of packets destined to locally configured IP addresses. Note that
ipfw(8) rules
have to be carefully crafted to make sure that things like PMTU discovery do not
break.

Random ephemeral port number allocation has led to some problems with port reuse at
high connection rates. This feature is now disabled during periods of high connection
rates; whenever new connections are created faster than net.inet.ip.portrange.randomcps per second, port number
randomization is disabled for the next net.inet.ip.portrange.randomtime seconds. The default values for
these two sysctl variables are 10 and 45, respectively.
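The following is an added example, not FreeBSD kernel source: a simplified per-second model of the throttle described above, which a defender can use to estimate how long ephemeral ports stay predictable after a connection burst. The structure and function names are hypothetical, and the one-second tick granularity is an assumption.

```c
/* Added example: simplified model of the port-randomization throttle.
 * Not FreeBSD kernel source; all names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct portrange_cfg {
    unsigned randomcps;   /* net.inet.ip.portrange.randomcps  (default 10) */
    unsigned randomtime;  /* net.inet.ip.portrange.randomtime (default 45) */
};

/* One-second tick: returns the new count of seconds for which
 * randomization stays disabled. A burst re-arms the full window. */
static unsigned tick(const struct portrange_cfg *c, unsigned stop_left,
                     unsigned new_conns)
{
    if (new_conns > c->randomcps)
        return c->randomtime;
    return stop_left > 0 ? stop_left - 1 : 0;
}

/* Walk a trace of new-connection counts (one entry per second) and return
 * how many of those seconds ran with randomization switched off. */
size_t predictable_seconds(const struct portrange_cfg *c,
                           const unsigned *per_sec, size_t n)
{
    unsigned stop_left = 0;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (stop_left > 0)
            off++;                    /* second i: randomization disabled */
        stop_left = tick(c, stop_left, per_sec[i]);
    }
    return off;
}

/* Constructed trace: len seconds at 1 conn/s, with a 20 conn/s burst at
 * each second listed in bursts; evaluated with the default sysctl values. */
size_t run_trace(size_t len, const size_t *bursts, size_t nb)
{
    struct portrange_cfg c = { 10, 45 };
    unsigned trace[256];
    if (len > 256) len = 256;
    for (size_t i = 0; i < len; i++) trace[i] = 1;
    for (size_t i = 0; i < nb; i++)
        if (bursts[i] < len) trace[bursts[i]] = 20;
    return predictable_seconds(&c, trace, len);
}

int main(void)
{
    size_t one[] = { 2 }, two[] = { 2, 40 };
    printf("one burst: %zu s, two bursts: %zu s\n",
           run_trace(60, one, 1), run_trace(100, two, 2));
    return 0;
}
```

A second burst inside the window restarts the countdown, so sustained load keeps randomization off for as long as it lasts plus randomtime seconds.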

The SHSEC GEOM class has been added. It provides for the sharing of a secret between
multiple GEOM providers. All of these providers must be present in order to reveal the
secret. This feature is controlled by the gshsec(8)
utility.
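The following is an added example, not code from the SHSEC GEOM class: a user-space sketch of the all-providers-required property described above. The XOR construction, the 16-byte block size, and every name in it are assumptions made for illustration, and the secret is constructed sample data.

```c
/* Added example: n-of-n XOR secret splitting. The XOR construction and all
 * names here are assumptions, not code from the SHSEC GEOM class. */
#include <stdio.h>
#include <string.h>

#define BLK 16                       /* bytes per block in this sketch */

/* Fill buf from the OS random source; returns 0 on success. */
static int random_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, n, f) : 0;
    if (f) fclose(f);
    return got == n ? 0 : -1;
}

/* Shares 0..n-2 are random; the last is the secret XORed with all of them. */
int shsec_split(const unsigned char *secret, unsigned char sh[][BLK], size_t n)
{
    if (n < 2) return -1;
    memcpy(sh[n - 1], secret, BLK);
    for (size_t s = 0; s + 1 < n; s++) {
        if (random_bytes(sh[s], BLK) != 0) return -1;
        for (size_t i = 0; i < BLK; i++) sh[n - 1][i] ^= sh[s][i];
    }
    return 0;
}

/* XOR the first n shares together into out. */
void shsec_combine(unsigned char sh[][BLK], size_t n, unsigned char *out)
{
    memset(out, 0, BLK);
    for (size_t s = 0; s < n; s++)
        for (size_t i = 0; i < BLK; i++) out[i] ^= sh[s][i];
}

/* Returns 1 when all three shares recover the block and two of them do not. */
int shsec_roundtrip(void)
{
    const unsigned char secret[BLK] = "constructed-key";   /* sample data */
    unsigned char sh[3][BLK], out[BLK];
    if (shsec_split(secret, sh, 3) != 0) return -1;
    shsec_combine(sh, 3, out);
    int all = memcmp(out, secret, BLK) == 0;
    shsec_combine(sh, 2, out);
    int partial = memcmp(out, secret, BLK) == 0;
    return all && !partial;
}

int main(void) { printf("roundtrip ok: %d\n", shsec_roundtrip()); return 0; }
```

With this construction, any subset of fewer than all shares is indistinguishable from random data, which is why losing a single provider makes the secret unrecoverable.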

Information about newly-mounted cd9660 file systems (such as the presence of RockRidge
extensions) is now only printed if the kernel was booted in verbose mode. This change was
made to reduce the amount of (generally unnecessary) kernel log messages.

Recomputing the summary information for ``dirty'' UFS and UFS2 file systems is no
longer done at mount time, but is now done by background fsck(8). This
change improves the startup speed when mounting large file systems after a crash. The
prior behavior can be restored by setting the vfs.ffs.compute_summary_at_mount sysctl variable to a non-zero
value.

A kernel panic in the NFS server has been fixed. More details can be found in errata
note FreeBSD-EN-05:01.nfs.

The ftpd(8) program
now uses the 212 and 213 status codes
for directory and file status correctly (211 was used in the
previous versions). This behavior is described in RFC 959.

The getaddrinfo(3)
function now queries A DNS resource records before AAAA records when AF_UNSPEC is specified.
Some broken DNS servers return NXDOMAIN against non-existent AAAA queries, even when they should return NOERROR with empty return records. This is a problem for an
IPv4/IPv6 dual stack node because the NXDOMAIN returned by the
first query of an AAAA record makes the querying server stop
attempting to resolve the A record if any. Also, this behavior
has been recognized as a potential denial-of-service attack (see http://www.kb.cert.org/vuls/id/714121 for more details). Note that
although the query order has been changed, the returned result still includes AF_INET6 records before AF_INET
records.

The create command of the gpt(8) utility
now supports a -f command-line flag to force creation of a
GPT even when there is an MBR record on a disk.

The gvinum(8) utility now supports checkparity, rebuildparity, and setstate
subcommands.

The libarchive library (as well as the tar(1) command
that uses it) now has support for reading ISO images (with optional RockRidge extensions)
and ZIP archives (with deflate and none
compression).

The libgpib library has been added to give userland access
to GPIB devices (using the pcii driver) via the ibfoo API.

The moused(8) daemon
now supports ``virtual scrolling'', in which mouse motions made while holding down the
middle mouse button are interpreted as scrolling. This feature is enabled with the -V flag.

A separate directory has been added for named(8) dynamic
zones which is owned by the bind user (for creation of the zone
journal file). For more detail, see an example dynamic zone in the sample named.conf(5).

The newfs(8) utility
now supports a -n flag to suppress the creation of a .snap directory on new file systems. This feature is intended for
use on memory or vnode file systems that will not require snapshot support.

The newfs(8) utility
now emits a warning when creating a UFS or UFS2 file system that cannot support
snapshots. This situation can occur in the case of very large file systems with small
block sizes.

The NO_NIS compile-time knob for userland has been added. As
its name implies, enabling this Makefile variable will cause
NIS support to be excluded from various programs and will cause the NIS utilities to not
be built.

The ncal(1) utility
now supports a -m flag to generate a calendar for a specified
month in the current year.

The periodic(8)
security output now supports the display of information about blocked packet counts from
pf(4).

The ppp(8) program
now implements an echo parameter, which allows LCP ECHOs to
be enabled independently of LQR reports. Older versions of ppp(8) would
revert to LCP ECHO mode on negotiation failure. It is now necessary to specify enable echo to get this behavior.

Two bugs in the pppd(8) program
have been fixed. They could result in an incorrect CBCP response, which violates the
Microsoft PPP Callback Control Protocol section 3.2.

The restore(8)
utility has regained the ability to read FreeBSD version 1 dump tapes.

The rm(1) utility now
supports an -I option that asks for confirmation (once) if
recursively removing directories or if more than 3 files are listed in the command
line.

The rtld(1) dynamic
linker now supports specifying library replacements via the LD_LIBMAP environment variable. This variable will override the
entries in libmap.conf(5).

The strftime(3)
function now supports some GNU extensions such as - (no
padding), _ (use space as padding), and 0 (zero padding).

The syslogd(8)
utility now opens an additional domain socket (/var/run/logpriv
by default), with 0600 permissions to be used by privileged
programs. This prevents privileged programs from locking when the domain sockets run out
of buffer space due to a local denial-of-service attack.

The syslogd(8) utility now
supports a -S option, which allows changing the pathname of the
privileged socket. This is useful when you do not want the daemon to receive any messages
from the local sockets (/var/run/log and /var/run/logpriv are used by default).

The syslogd(8)
utility now allows : and % characters
in the hostname specifications. These characters are used in IPv6 addresses and scope
IDs.

rc.conf(5) now
supports changes of network interface names at boot time. For example:

ifconfig_fxp0_name="net0"
ifconfig_net0="inet 10.0.0.1/16"

rc.conf(5) now
supports the tmpmfs_flags and varmfs_flags variables. These can be used to pass extra options to
the mdmfs(8)
utility, to customize the finer details of the md(4) file system
creation, such as to turn on/off softupdates, to specify a default owner for the file
system, and so on.

The ports/INDEX* files,
which kept an index of all of the entries in the ports collection, have been removed from
the CVS repository. These files were generated only infrequently, and therefore were
usually out-of-date and inaccurate. Users requiring an index file (for example, for use by
programs such as portupgrade(1))
have two alternatives for obtaining a copy:

Build an index file based on the current ports tree by running make index from the top of the ports/
tree.

Fetch an index file over the network by running make
fetchindex from the top of the ports/ tree. This index
file will (typically) be accurate to within a day.

In prior FreeBSD releases, the disc1 CD-ROM (or ISO image)
was a bootable installation disk containing the base system, ports tree, and common
packages. The disc2 CD-ROM (or ISO image) was a bootable ``fix
it'' disk with a live filesystem, to be used for making emergency repairs. This layout
has now changed. For all architectures except ia64, the disc1
image now contains the base system distribution files, ports tree, and the live
filesystem, making it suitable for both an initial installation and repair purposes. (On
the ia64, the live filesystem is on a separate disk due to its size.) Packages appear on
separate disks; in particular, the disc2 image contains
commonly used packages such as desktop environments. Documents from the FreeBSD Documentation
Project also appear on disc2.

The supported version of the GNOME desktop environment has
been updated from 2.6.2 to 2.10. More information about running GNOME on FreeBSD can be found on the FreeBSD GNOME Project Web
page.

Users with existing FreeBSD systems are highly encouraged to read the ``FreeBSD 5.4-RELEASE Migration
Guide''. This document generally has the filename MIGRATE5.TXT
on the distribution media, or any other place that the release notes can be found. It
offers some notes on migrating from FreeBSD 4.X, but more importantly, also discusses
some of the relative merits of upgrading to FreeBSD 5.X versus running FreeBSD 4.X.

Important: Upgrading FreeBSD should, of course, only be attempted after backing
up all data and configuration
files.